How can a session be invalid just after creation? (sessionCookieRedirect)

Here are my steps:

  1. I have a command-line application which authenticates against the /api/v1/authn endpoint (and performs the 2FA challenge), and gets a state token.

  2. Then I use the state token to get a session via the /login/sessionCookieRedirect endpoint, as described here: https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-by-visiting-a-session-redirect-link

Curiously, I get a 200 response (not a 302, as described in the doc referenced above). However, I also get a session returned as a cookie in that 200 response (“sid=…”).

  3. Using the session token (as a cookie) from above, I call the /api/v1/sessions/me endpoint to get metadata about the session (expiration, etc.). However, with some users, this call fails with the following error message:

{"errorCode":"E0000007","errorSummary":"Not found: Resource not found: me (Session)","errorLink":"E0000007","errorId":"oae8vk4wHDDTbSr7YgkNtXVAA","errorCauses":}

With other users, this session seems valid and I can get along with the rest of my application logic.

My question is, how can a session created in Step 2 be immediately invalid in Step 3?

The token is a one-time thing; if you exchanged it for a cookie, you can’t use it anymore.

I misspoke. Step 3 should read:

“Using the session cookie from above…”

However, I was able to clarify my user’s experience, and have eliminated this as a problem. Thanks.

I am curious about that 200 response, however (rather than the 302 described in the referenced doc).

In some cases it might be 200 with a form, which will be auto-submitted. I can’t recall if it may be the same case here?!
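The two cases discussed in this thread, the 302 with a `sid` cookie that the doc describes and the 200 that carries an auto-submitted form, as an added example that is not part of the original thread or of Okta's own code. It builds the step-2 redirect link and interprets the response offline; the `headers`/`body` shape, the hidden-input form layout and the sample cookie values are assumptions for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode


def session_redirect_url(org_url, session_token, redirect_url):
    """Build the step-2 /login/sessionCookieRedirect link from a one-time sessionToken."""
    query = urlencode({"token": session_token, "redirectUrl": redirect_url})
    return f"{org_url}/login/sessionCookieRedirect?{query}"


class _AutoSubmitForm(HTMLParser):
    """Collect the action and named inputs of the first <form> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def handle_redirect_response(status, headers, body):
    """Interpret the sessionCookieRedirect response (constructed shape:
    headers is {name: value-or-list}, body is the HTML text).

    Returns ("sid", value) when the session cookie arrived (302 or 200), or
    ("form", (action, fields)) when a 200 carried a form the browser would
    auto-submit and a non-browser client must POST itself. Raises when the
    response has neither, e.g. because the one-time token was already used.
    Only the resulting sid cookie, never the sessionToken, goes to
    /api/v1/sessions/me in step 3.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw = hdrs.get("set-cookie", [])
    jar = SimpleCookie()
    for header_value in [raw] if isinstance(raw, str) else raw:
        jar.load(header_value)
    if "sid" in jar:
        return "sid", jar["sid"].value
    if status == 200:
        parser = _AutoSubmitForm()
        parser.feed(body)
        if parser.action:
            return "form", (parser.action, parser.fields)
    raise ValueError(f"no sid cookie and no form in HTTP {status} response")
```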